From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

ShmooCon begins today in DC, and as usual, they have lined up an informative and topical schedule of security talks. The HP Web Security Research Group's own Prajakta Jagdale is scheduled to speak on Saturday at 2pm about the security of applications developed using the Adobe Flash Platform. Prajakta and the group have completed an in-depth research project where they studied numerous applications built on the Adobe Flash Platform and found that many of the security issues that are common in Web applications also exist in applications developed with Adobe Flash. Here is an overview of Prajakta's ShmooCon talk and a little bit about her background: In a rush to adopt the dazzling Flash technology, website developers tend to use quick and dirty hacks to get their applications to work and in the process sidestep any security features provided by the technology. The presentation will look at applications built on the Adobe Flash Platform encountered in the wild that are a result of insecure development practices and demonstrate the ease with which they can be compromised. Prajakta Jagdale is a Research Engineer with the HP Web Security Research Group. Her current research efforts are concentrated towards identifying security risks associated with RIA technologies. This research involves developing innovative techniques to enable automated web assessment tools to crawl and analyze RIA applications through the use of both static source code analysis and dynamic runtime analysis.

It appears that the source code to Jikto is in the wild. I suppose it was only a matter of time, even though as you will see SPI to extreme steps to prevent this from happening.

As my Shmoocon presentation slides discuss, Jikto bypasses the "Same Origin Policy" by using a proxy website like the-cloak, proxydrop, Google Translate, etc. This allows Jikto's code and the content of 3rd party sites to be loaded into the same security domain (ie the proxy sites), and thus read the responses. I believe pdp of GNUCITIZEN first discussed this and I based much of Jikto off his work. The consequence of this means that Jikto's code had to exist somewhere on the public Internet when I did my demo. Worse, when I got to Shmoo I saw that I didn't have a hard connection to the Internet, only wireless. This means anyone in the audience sniffing traffic would see where Jikto was and get a copy. Obviously I couldn't let that happen.

Instead I VPNed into SPI. This created an encrypted tunnel. I then remotely connected to my Desktop machine at work and did the demo from there. This means no one in the audience could sniff traffic and see where Jikto was stored. The problem is if someone watched very closely they could see the URL of where Jikto's code was. I ran all my traffic on the work machine through a proxy to show all the requests Jikto was making. The first request would have been to grab Jikto's code. Someone could have seen the URL and grabbed it.

Which is exactly what happened! A guy named LogicX grabbed a copy this way and posted it on Digg just a day after Shmoocon. However I contacted LogicX and asked him to take it down. I'm thankful he did. However, it seems someone else grabbed either his copy before it was removed or grabbed the code themselves at Shmoocon just like LogicX did.

The long and short of all of this is Jikto's code is in the wild. Regardless what you might have heard, SPI didn't leak it. Even LogicX admitted he snatched it because he got lucky. I suppose it was only a matter of time.